Release the version 1.0.3

Delete setuid/setgid capabilities from mysqld_t
devexp-db · Mar 16, 2021 · a84c1d3 · a84c1d3
1 parent ee0f328
commit a84c1d3
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/mysql.te b/mysql.te
@@ -67,8 +67,8 @@ files_pid_file(mysqlmanagerd_var_run_t)
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_read_search  ipc_lock setgid setuid sys_nice sys_resource net_bind_service };
-dontaudit mysqld_t self:capability sys_tty_config;
+allow mysqld_t self:capability { dac_read_search  ipc_lock sys_nice sys_resource net_bind_service };
+dontaudit mysqld_t self:capability sys_tty_config
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
@@ -196,6 +196,7 @@ optional_policy(`
 # Local mysqld_safe policy
 #
 
+# setuig/setgid may be used in mysqld_safe and mysqld_safe_helper
 allow mysqld_safe_t self:capability { chown dac_read_search setgid setuid fowner kill sys_nice sys_resource };
 dontaudit mysqld_safe_t self:capability sys_ptrace;
 allow mysqld_safe_t self:process { setsched getsched setrlimit };